Commit graph

213 commits

Author SHA1 Message Date
Xianglin Gao
26645c90ac Make the profile configurable
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
2016-12-01 13:26:59 +08:00
Xianglin Gao
1f863846f5 add default apparmor profile
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
2016-12-01 13:26:59 +08:00
Xianglin Gao
71b80591e3 support apparmor
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
2016-12-01 13:26:59 +08:00
Antonio Murdaca
0e4af6d69d *: add seccomp buildtag
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-11-29 17:01:45 +01:00
Samuel Ortiz
60123a77ce server: Export more container metadata for VM containers
VM-based container runtimes (e.g. Clear Containers) will run each pod
in a VM and will create containers within that pod VM. Unfortunately
those runtimes will get called by ocid with the same commands
(create and start) for both the pause containers and subsequent
containers to be added to the pod namespace. Unless they work around
that by e.g. inferring that a container whose rootfs is under
"/pause" would represent a pod, they have no way to decide if they
need to create/start a VM or if they need to add a container to an
already running VM pod.

This patch tries to formalize this difference through pod
annotations. When starting a container or a sandbox, we now add 2
annotations for the container type (Infrastructure or not) and the
sandbox name. This will allow VM based container runtimes to handle
2 things:

- Decide if they need to create a pod VM or not.
- Keep track of which pod ID runs in a given VM, so that they
  know to which sandbox they have to add containers.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-11-29 10:24:33 +01:00
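The dispatch logic the commit describes, as an added example in Go (not ocid's or any VM runtime's code): a shim reads the two annotations from the OCI "create" call and decides whether to boot a pod VM or add the container to one that is already running. The annotation key names and the type values used here are assumptions, since the page does not show them.

```go
package main

import (
	"errors"
	"fmt"
)

// Annotation keys and values are assumptions for this example: the commit
// states that a container-type annotation and a sandbox-name annotation are
// added, but the page does not show the actual key names or values.
const (
	annContainerType = "io.example.ContainerType" // hypothetical key
	annSandboxName   = "io.example.SandboxName"   // hypothetical key

	typeInfra = "infrastructure" // the pause/infra container of a pod
	typeApp   = "container"      // a regular container added to the pod
)

// Action is what a VM-based runtime decides to do on a "create" call.
type Action int

const (
	ActionCreatePodVM Action = iota // boot a new VM for the pod
	ActionAddToPodVM                // add a container to an already running VM
)

func (a Action) String() string {
	switch a {
	case ActionCreatePodVM:
		return "create-pod-vm"
	case ActionAddToPodVM:
		return "add-to-pod-vm"
	}
	return "unknown"
}

// Dispatcher keeps track of which sandbox is running in which VM.
type Dispatcher struct {
	vms  map[string]string // sandbox name -> VM id
	next int
}

func NewDispatcher() *Dispatcher {
	return &Dispatcher{vms: make(map[string]string)}
}

// OnCreate inspects the annotations passed with an OCI "create" call and
// returns the action to take and the VM the container belongs to. Both
// annotations are required; an unknown type or an app container for a
// sandbox without a VM is an error rather than a silent guess.
func (d *Dispatcher) OnCreate(annotations map[string]string) (Action, string, error) {
	sb := annotations[annSandboxName]
	if sb == "" {
		return 0, "", errors.New("missing sandbox name annotation")
	}
	switch ct := annotations[annContainerType]; ct {
	case typeInfra:
		if vm, exists := d.vms[sb]; exists {
			return 0, "", fmt.Errorf("sandbox %q already runs in %s", sb, vm)
		}
		d.next++
		vm := fmt.Sprintf("vm-%d", d.next)
		d.vms[sb] = vm
		return ActionCreatePodVM, vm, nil
	case typeApp:
		vm, exists := d.vms[sb]
		if !exists {
			return 0, "", fmt.Errorf("no running VM for sandbox %q", sb)
		}
		return ActionAddToPodVM, vm, nil
	default:
		return 0, "", fmt.Errorf("unknown container type %q", ct)
	}
}

// OnRemoveSandbox forgets the VM mapping once the pod is torn down and
// reports whether a mapping existed.
func (d *Dispatcher) OnRemoveSandbox(sb string) bool {
	_, ok := d.vms[sb]
	delete(d.vms, sb)
	return ok
}

func main() {
	d := NewDispatcher()
	// Constructed annotations in the order ocid would issue the calls:
	// first the infra (pause) container, then an app container for the pod.
	calls := []map[string]string{
		{annContainerType: typeInfra, annSandboxName: "default_web_0"},
		{annContainerType: typeApp, annSandboxName: "default_web_0"},
		{annContainerType: typeApp, annSandboxName: "default_db_0"}, // no VM yet: error
	}
	for _, ann := range calls {
		action, vm, err := d.OnCreate(ann)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s -> %s\n", action, vm)
	}
}
```

Refusing to guess on a missing or unknown annotation is the point: a runtime that falls back to path heuristics such as the "/pause" rootfs check would make its VM boundary depend on an attacker-influenced image layout.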
Antonio Murdaca
78ee03a8fc add seccomp support
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-11-28 22:05:34 +01:00
Mrunal Patel
b6f1b027eb Merge pull request #213 from runcom/bump-runtime-tools
*: bump opencontainers/runtime-tools
2016-11-24 08:29:43 -08:00
Mrunal Patel
d12c4b68ac Merge pull request #212 from runcom/execsync-fix
execsync: return proper error description
2016-11-24 08:28:45 -08:00
Antonio Murdaca
70481bc5af *: bump opencontainers/runtime-tools
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-11-24 12:26:18 +01:00
Antonio Murdaca
cbe2a68ce5 execsync: return proper error description
The gRPC execsync client call doesn't populate `ExecSyncResponse` on
error at all. You just get an error.
This patch modifies the code to include command's streams, exit code
and error directly into the error. `ocic` will then print useful
information in the cli, otherwise it won't.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-11-24 12:11:04 +01:00
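One way to carry a command's streams and exit code inside the error value, as an added Go example that is not ocid's or ocic's code: the error type wraps the underlying `*exec.ExitError`, so a client can recover the details with `errors.As` instead of getting a bare "exit status 3". The `RunSync` and `Describe` names are this example's own.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"os/exec"
)

// ExecSyncError carries the command's streams and exit code along with the
// underlying error, so a CLI can show them instead of a bare "exit status 3".
type ExecSyncError struct {
	Stdout   []byte
	Stderr   []byte
	ExitCode int32
	Err      error
}

func (e *ExecSyncError) Error() string {
	return fmt.Sprintf("command failed (exit code %d): %v\nstderr: %s",
		e.ExitCode, e.Err, bytes.TrimSpace(e.Stderr))
}

// Unwrap lets errors.Is/As reach the original error (e.g. *exec.ExitError).
func (e *ExecSyncError) Unwrap() error { return e.Err }

// RunSync runs a command to completion. On success it returns stdout; on any
// failure it returns an *ExecSyncError with both streams and the exit code
// (-1 when the process never ran, e.g. command not found).
func RunSync(name string, args ...string) ([]byte, error) {
	cmd := exec.Command(name, args...)
	var stdout, stderr bytes.Buffer
	cmd.Stdout = &stdout
	cmd.Stderr = &stderr
	if err := cmd.Run(); err != nil {
		code := int32(-1)
		var exitErr *exec.ExitError
		if errors.As(err, &exitErr) {
			code = int32(exitErr.ExitCode())
		}
		return nil, &ExecSyncError{
			Stdout:   stdout.Bytes(),
			Stderr:   stderr.Bytes(),
			ExitCode: code,
			Err:      err,
		}
	}
	return stdout.Bytes(), nil
}

// Describe is what a client such as ocic could do: pull the details back out
// of the error and return a report with the exit code and both streams.
func Describe(err error) string {
	var es *ExecSyncError
	if errors.As(err, &es) {
		return fmt.Sprintf("exit=%d stdout=%q stderr=%q", es.ExitCode, es.Stdout, es.Stderr)
	}
	return "error: " + err.Error()
}

func main() {
	out, err := RunSync("sh", "-c", "echo hello")
	fmt.Printf("ok: %q err=%v\n", out, err)

	// Constructed failing command: writes to both streams and exits non-zero.
	_, err = RunSync("sh", "-c", "echo partial; echo boom >&2; exit 3")
	fmt.Println(Describe(err))
}
```

Keeping the original error reachable through `Unwrap` matters for callers that already branch on `*exec.ExitError`; they keep working while new callers get the richer view.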
HaoZhang
d1e1b7c183 pass sysctls down to oci runtime
Signed-off-by: HaoZhang <crazykev@zju.edu.cn>
2016-11-24 16:29:37 +08:00
Antonio Murdaca
ebe2ea0dba server: split sandboxes actions
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-11-22 23:23:01 +01:00
Antonio Murdaca
4447207cf1 server: split images actions
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-11-22 23:05:37 +01:00
Antonio Murdaca
61bb04c87c server: split containers actions
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-11-22 18:38:05 +01:00
Antonio Murdaca
5c94544fb8 Merge pull request #203 from mrunalp/exec_sync
Exec sync
2016-11-21 23:22:20 +01:00
Mrunal Patel
78ecdcd298 Add support for timeout
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-11-21 13:16:32 -08:00
Jacek J. Łakis
0289858d21 Add runtime status compliant with CRI
Signed-off-by: Jacek J. Łakis <jacek.lakis@intel.com>
2016-11-21 10:19:03 +01:00
Mrunal Patel
52e789c44b Add server implementation for exec sync
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-11-17 16:41:44 -08:00
Mrunal Patel
b62a150151 Update to the latest upstream API
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-11-16 17:20:37 -08:00
Jacek J. Łakis
85f7ebfb48 version: Fix parsing for gRPC version
Signed-off-by: Jacek J. Łakis <jacek.lakis@intel.com>
2016-11-15 09:26:11 +01:00
Pengfei Ni
bbfcf62a0f Set timestamps to nanosecond.
CRI requires all timestamps in nanoseconds instead of seconds.

Signed-off-by: Pengfei Ni <feiskyer@gmail.com>
2016-11-14 14:26:06 +08:00
Antonio Murdaca
02ec8754f5 Merge pull request #169 from cyphar/make-configurable
server: make more things configurable
2016-11-10 14:55:29 +01:00
Mrunal Patel
5d62a9fbb9 Merge pull request #179 from Crazykev/add-metadata
Return pod metadata in container list and status APIs
2016-11-04 10:00:58 -06:00
Nalin Dahyabhai
ec1bc4d6a8 Handle PodSandboxConfig.DNSConfig.Options
DNSConfig can pass "options" settings in now, so add them to the
resolv.conf that we're generating, too.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2016-11-03 11:57:25 -04:00
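Rendering the generated resolv.conf with the new options line, as an added Go example that is not ocid's code: `DNSConfig` is a local stand-in for the servers, searches and options fields of the CRI message, and the ordering of the directives and the whitespace check are this example's choices.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// DNSConfig is a local stand-in for the servers, searches and options fields
// of the CRI PodSandboxConfig.DNSConfig message; it is not the CRI type.
type DNSConfig struct {
	Servers  []string
	Searches []string
	Options  []string
}

// cleanFields trims each entry, drops empty ones and rejects any entry that
// contains whitespace or control characters: resolv.conf is line and space
// delimited, so such a value could inject an extra directive.
func cleanFields(kind string, in []string) ([]string, error) {
	out := make([]string, 0, len(in))
	for _, v := range in {
		v = strings.TrimSpace(v)
		if v == "" {
			continue
		}
		bad := func(r rune) bool { return unicode.IsSpace(r) || unicode.IsControl(r) }
		if strings.IndexFunc(v, bad) >= 0 {
			return nil, fmt.Errorf("invalid %s entry %q", kind, v)
		}
		out = append(out, v)
	}
	return out, nil
}

// ResolvConf renders the resolv.conf body for a sandbox. Order is search,
// nameserver, options, which is this example's choice, not necessarily ocid's.
func ResolvConf(c DNSConfig) (string, error) {
	searches, err := cleanFields("search", c.Searches)
	if err != nil {
		return "", err
	}
	servers, err := cleanFields("nameserver", c.Servers)
	if err != nil {
		return "", err
	}
	options, err := cleanFields("options", c.Options)
	if err != nil {
		return "", err
	}
	var b strings.Builder
	if len(searches) > 0 {
		b.WriteString("search " + strings.Join(searches, " ") + "\n")
	}
	for _, s := range servers {
		b.WriteString("nameserver " + s + "\n")
	}
	if len(options) > 0 {
		b.WriteString("options " + strings.Join(options, " ") + "\n")
	}
	return b.String(), nil
}

func main() {
	// Constructed input resembling what a kubelet sends for a cluster pod.
	cfg := DNSConfig{
		Servers:  []string{"10.96.0.10"},
		Searches: []string{"default.svc.cluster.local", "svc.cluster.local", "cluster.local"},
		Options:  []string{"ndots:5", "timeout:2"},
	}
	out, err := ResolvConf(cfg)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Print(out)

	// An option value carrying a newline must be rejected, not written out.
	_, err = ResolvConf(DNSConfig{Options: []string{"ndots:5\nnameserver 198.51.100.1"}})
	fmt.Println("injection attempt rejected:", err != nil)
}
```

The whitespace check is the part worth keeping: every field here comes from the pod spec, and a value such as `ndots:5\nnameserver 198.51.100.1` would otherwise land in the file as a second, attacker-chosen resolver.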
Crazykev
87a83e14b0 return pod metadata in container list and status APIs
Signed-off-by: Crazykev <crazykev@zju.edu.cn>
2016-11-02 00:37:40 +08:00
Crazykev
54a022defb restore pod annotations when restart ocid
Signed-off-by: Crazykev <crazykev@zju.edu.cn>
2016-11-01 13:49:21 +08:00
Aleksa Sarai
96c0966ce9 server: make logDir configurable
While logDir isn't currently used (until the conmon implementation
lands) it's probably not a great idea to hardcode our defaults. The main
issue with this setting is that the kubelet can override it at will.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-10-31 23:26:42 +11:00
Aleksa Sarai
33f47d6a6b server: make ImageStore configurable
It's a bit odd to have ImageStore be part of the config and yet we don't
allow people to modify it. However, leave it out of the commented
version because it's currently unused.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-10-31 23:26:42 +11:00
Mrunal Patel
7b60703634 Add logging for all container/sandbox responses
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-10-28 11:35:14 -04:00
Mrunal Patel
c89157e45c Merge pull request #176 from gao-feng/hidden-infra-container
store infra container in sandbox
2016-10-25 03:25:17 +00:00
Gao feng
78528d9bd1 store infra container in sandbox
The infra container is used to implement the pod
sandbox; it should not be exported to the user.

This patch stores the infra container in the sandbox
immediately; only the containers created by the user
are stored in the container store. This prevents the user
from removing/stopping the infra container incorrectly.

Signed-off-by: Gao feng <omarapazanadi@gmail.com>
2016-10-24 20:18:19 +08:00
HaoZhang
9c11cc7dba make conmon inherit env from ocid
Signed-off-by: HaoZhang <crazykev@zju.edu.cn>
2016-10-23 19:22:27 +08:00
Antonio Murdaca
af55785b53 Merge pull request #167 from mrunalp/update_api
Update to latest version of kubernetes CRI API
2016-10-22 09:17:59 +02:00
Mrunal Patel
7f726b704a Add more debugs
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-10-21 11:14:22 -04:00
Mrunal Patel
b117dd863c Update to latest version of kubernetes CRI API
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-10-21 11:06:30 -04:00
Antonio Murdaca
5290ca593a Merge pull request #166 from mrunalp/image_no_nil
Make image APIs return empty struct instead of nil
2016-10-21 08:10:09 +02:00
Mrunal Patel
cc9ce68463 Make image APIs return empty struct instead of nil
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-10-20 16:13:41 -04:00
Mrunal Patel
0b76a65033 Set the version to what kubelet expects
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-10-20 14:51:38 -04:00
Mrunal Patel
4a7ea899b0 Don't share container UTS namespace with pod
kubernetes doesn't share the UTS namespace

Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-10-18 14:17:57 -07:00
Mrunal Patel
5e7d96bd6a Add server side pod filtering support
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-10-17 12:24:57 -07:00
Mrunal Patel
01c8785ea4 Use Set instead of map for storing pod labels
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-10-17 11:28:48 -07:00
Mrunal Patel
d2cae34243 Add server side container label filtering
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-10-13 17:01:31 -07:00
Mrunal Patel
09049fc357 Filter containers by id, pod id and state in container list
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-10-13 12:40:02 -07:00
Antonio Murdaca
8a9395964e server/sandbox: fix add/release pod/ctr ids and names
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-10-13 18:48:23 +02:00
Mrunal Patel
e999610fd6 Merge pull request #115 from cyphar/toml-config
cmd: server: use TOML configuration file
2016-10-11 16:07:25 -07:00
Antonio Murdaca
be2b0cfa50 server/server: skip if no sandbox when restoring containers
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-10-12 00:36:34 +02:00
Crazykev
f6536bf30e pod/container name should be released when create failed
Signed-off-by: Crazykev <crazykev@zju.edu.cn>
2016-10-11 20:19:51 +08:00
Aleksa Sarai
7bf5110b76 server: refactor to use Config struct
This paves the way for having a configuration file that is loaded rather
than everything being set via the command-line.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-10-11 03:10:32 +11:00
Antonio Murdaca
cfa4a341a6 server/container: fix bug when listing container IDs
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-10-08 14:55:25 +02:00
Antonio Murdaca
217d278623 server/server: check pods/ctrs directories before restore
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-10-08 14:46:39 +02:00
Antonio Murdaca
54d6ddb5af server: containers restore
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-10-08 14:46:39 +02:00
Antonio Murdaca
7c6eb77224 Merge pull request #110 from mrunalp/pod_meta
Return pod metadata in pod list and status APIs
2016-10-07 20:44:40 +02:00
Dan Walsh
cd12a4acfe Can't use SELinux separation when sharing the host pid/ipc namespace
SELinux will cause breakage when sharing these namespaces. For example it
will block processes inside of the container from looking at the host's /proc
in the host's PID namespace. It will also block all access to semaphores and
shared memory defined outside of the pod.

Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2016-10-07 07:28:12 -04:00
Antonio Murdaca
fbcd609644 Merge pull request #109 from mrunalp/get_sb
Refactor to use helper method to get sandbox from request
2016-10-07 09:44:00 +02:00
Mrunal Patel
d1198fc75b Populate pod metadata in pod list and status APIs
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-10-06 16:51:13 -07:00
Mrunal Patel
d7e72cb3a2 Refactor to use helper method get sandbox object
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-10-06 15:34:05 -07:00
Mrunal Patel
ec0b27fffc Add a helper method to get sandbox from request
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-10-06 15:34:05 -07:00
Mrunal Patel
77afd34a27 Container state fixes
Move Container State constants to oci package
and fixup where strings were used instead of
the status constants

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-10-06 15:16:21 -07:00
Mrunal Patel
f6a12b865c Refactor to use new helper method to get Container
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-10-06 12:49:59 -07:00
Mrunal Patel
a56cbb4117 Add a helper to get container from request
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-10-06 12:49:04 -07:00
Mrunal Patel
027aaf15b7 Merge pull request #100 from rhatdan/selinux
Selinux
2016-10-06 12:28:12 -07:00
Dan Walsh
be77b841fa Add SELinux support to OCID
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2016-10-06 14:13:06 -04:00
Mrunal Patel
0321870568 Cleanup container directory and state on creation failure
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-10-06 11:12:39 -07:00
Antonio Murdaca
a5da8a4d1e Merge pull request #97 from mrunalp/ctr_dir_id
Use container ID as the directory name
2016-10-05 23:02:25 +02:00
Mrunal Patel
e82426fa8f Use container ID as the directory name
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-10-05 12:18:56 -07:00
Mrunal Patel
869f85e4bb Add support for specifying container short IDs
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-10-05 11:55:45 -07:00
Mrunal Patel
edba913f67 Track container IDs in index
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-10-05 11:31:41 -07:00
Mrunal Patel
0482a4281a Separate container IDs from container names
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-10-04 16:57:12 -07:00
Mrunal Patel
484719c8fe Add a function to generate container id and name
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-10-04 16:15:23 -07:00
Mrunal Patel
3e19549232 Add name and id indexes for containers
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-10-04 16:00:04 -07:00
Aleksa Sarai
bac579a9e5 server: create pause rootfs manually without Docker
This lessens the Docker requirement for creating sandboxes (with the
requirement only existing for the actual image pulling that is done when
adding a container to a pod). The interface was chosen to match the
--conmon interface, so that the location of the pause binary can be
chosen by a user.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-10-02 20:11:07 +11:00
Antonio Murdaca
3697a61db9 Merge pull request #84 from mrunalp/pod_attempt
Include attempt in the pod name
2016-10-01 01:06:00 +02:00
Mrunal Patel
d5a8d1bae3 Add annotations for pods
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-30 15:48:31 -07:00
Mrunal Patel
581c17169c Include attempt in the pod name
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-30 15:23:38 -07:00
Mrunal Patel
50bea08c50 Remove containers from state on pod remove
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-30 12:23:48 -07:00
Dan Walsh
f51c98b057 Install conmon in /usr/libexec/ocid/conmon
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2016-09-29 08:55:12 -04:00
Mrunal Patel
1b3d172377 Ensure containers are stopped on RemovePod
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-28 13:12:38 -07:00
Mrunal Patel
72ac4fe33e Stop container first if it is running on RemoveContainer
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-28 12:24:12 -07:00
Mrunal Patel
e47189c148 Add server impl for listing containers
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-27 15:17:41 -07:00
Antonio Murdaca
4578cc93d1 server: fix panic when listing sandboxes
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-09-27 10:46:45 +02:00
Antonio Murdaca
f7d3f7a69a Merge pull request #59 from mrunalp/pod_create_bug
Pod create bug
2016-09-27 09:13:40 +02:00
Antonio Murdaca
df2eebbbcd Merge pull request #58 from mrunalp/sb_short_id
Pod short ID
2016-09-27 07:51:54 +02:00
Mrunal Patel
4606f2a61a Fix the build for ocid to cri-o rename
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-26 16:55:12 -07:00
Mrunal Patel
3245810bd6 Release pod name when pod is removed
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-26 15:42:08 -07:00
Mrunal Patel
78aae688e2 Add API to release Pod name when not required
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-26 15:41:58 -07:00
Mrunal Patel
e1b8802848 Fix typo
2016-09-26 15:31:06 -07:00
Mrunal Patel
833333538e Allow specifying short pod IDs for container create
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-26 15:24:33 -07:00
Mrunal Patel
2e387072ac Allow specifying pod IDs by unique prefixes
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-26 15:24:23 -07:00
Mrunal Patel
ecda01c284 Add server impl of list pod sandboxes
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-26 12:45:53 -07:00
Mrunal Patel
7c9aaf34cd Introduce consts for containers states
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-26 12:44:24 -07:00
Mrunal Patel
204b2a645b Populate state in pod status
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-26 11:18:35 -07:00
Antonio Murdaca
ab05a4526b vendor: bump k8s@5fe2495588425a6613e28a048d8cc7bcb7513c7f
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-09-26 10:07:46 +02:00
Antonio Murdaca
857aaa7816 cmd/server: provide a flag to set ocid root dir
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-09-24 00:38:06 +02:00
Mrunal Patel
5475f6b32b Fix lint error
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-23 15:06:12 -07:00
Mrunal Patel
99a7a53309 Cleanup comments
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-23 15:05:23 -07:00
Mrunal Patel
b839ff1093 Fixup pod sandbox status
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-23 15:05:18 -07:00
Mrunal Patel
6eab35c6b5 Fixup remove sandbox logic
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-23 15:04:45 -07:00
Mrunal Patel
2066b68791 Fixup stop sandbox logic
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-23 15:04:07 -07:00
Mrunal Patel
688f689736 Include pod namespace in the pod name
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-23 11:42:45 -07:00
Antonio Murdaca
97f5f809a4 server/sandbox: return id after creation
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-09-22 18:18:58 +02:00